FICO purchases alums' cyber risk startup

A cyber risk startup company led by Mingyan Liu (MSSE 1997; EE PhD 2000), Manish Karir (EE BS 1996; EE MS 1999) and Wesley Huffstutter has been purchased for an undisclosed amount by FICO, the company known for its credit rating scores.

QuadMetrics, licensed from the University of Michigan in 2015, leverages predictive analytics to monitor signals from both open source and proprietary data sources to provide an overall security score for an enterprise. The score helps security professionals address gaps and enables partners and insurers to understand a firm's security risk.

"We have built a system using state-of-the-art Internet measurement and predictive analytics techniques to enable quantitative security risk assessment as well as proactive measures. Ours is the only predictive solution currently on the market," said Liu, QuadMetrics’ chief science officer and professor of electrical engineering and computer science at the University of Michigan.

As a student at Maryland, Liu was advised by Professors John Baras (ECE/ISR) and André Tits (ECE/ISR). Early in her career, Liu's research focused on optimizing resource allocation over wireless networks. This work relied heavily on game theory and problems involving several self-interested parties sharing resources. Liu found many analogies for these sorts of problems in cybersecurity, and shifted her focus to designing incentive mechanisms for companies to enhance security measures. QuadMetrics’ system stems from Liu's research in cybersecurity and insurance markets at Michigan.

Karir was also advised by Baras for his MS degree and worked on security of Internet over satellite protocols. He showed in his MS Thesis that Layered IPSEC (using different keys to encrypt the IP packet header and the IP packet body), can be done very efficiently (meaning the additional delay and energy are negligible). This advance was critical in making the protocols invented by Baras’ research group for Internet over satellite secure and thus competitive to terrestrial alternatives. Layered IPSEC became a standard adopted by ETSI and IETF.

There are a pair of services to help companies both assess the effectiveness of their security and decide the best way to allocate or increase their security budget.

“Signet Scope” determines how secure an organization is and its vulnerability to certain types of attacks. Internet data measurements are collected from the organization and applies data analytics and machine learning techniques are applied to find cybersecurity holes that might be exploited by criminals.

“Signet Profile” provides one of the first means to determine premiums for cyber insurance, which operates on the same principles as home or auto insurance. An underwriter takes on the risk that a company may face a data breach, and covers the cost of repairing the damage should it be victimized. Determining what a premium should be for a given company previously relied on interviews and surveys of IT staff, which have proven to be unreliable metrics.

“Rarely do cyber insurance companies get ahold of information that’s really important and indicative of the risk that the company is facing,” says Liu.

Signet Profile offers insurers a summary of the company’s security strengths and weaknesses. It quantifies the risks a company is facing, allowing an insurance company to produce a more reliable cost estimate.

Liu hopes this will accomplish a shift in how companies view cyber insurance. Right now organizations buy these policies to transfer risk on to an underwriter, but a QuadMetrics profile could create incentives for them to work to reduce their risk. Better security could mean lower insurance premiums – and more secure customer information.

Doug Clare, vice president of cyber security solutions at FICO, said, "We're excited to have the QuadMetrics team—and their deep expertise—joining us in our efforts to fight cyber crime and help all organizations improve their visibility and insights into cyber risk. Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise cyber security risk."

--Thanks to Greta Guest of the University of Michigan for this story

| Read coverage of the story at the Wall Street Journal | Read the original stories published by the University of Michigan | here | and here |